MOUNTAIN VIEW -- Hidden within a nondescript building here is a highly secret Symantec facility protected by the sort of measures found in nuclear missile silos.

Dubbed "the vault" by some employees, the bunkerlike operation bristles with guards, sensors, iris- and fingerprint-reading locks, and a room containing the most privileged data deep within its labyrinthine confines to which only five people have the combination. All that is to ensure no one can sneak in and steal the information Symantec maintains to certify that thousands of widely used websites are legitimate, and that whatever is sent to and from the sites is encrypted against cyberattacks.

Although company officials say hackers frequently try to break into their computer network, they say it has never been breached. And they are so proud of its physical protections, they recently let this newspaper tour the hush-hush complex, on condition its exact location not be revealed.

While Symantec and some other prominent "certificate authorities" take security seriously, experts say, others in the business are far less careful. Citing several recent incidents, these experts contend it's often easy for hackers to compromise weak points in the system and steal credit card numbers, bank account filings, emails or other personal records.

Advertisement

"Right now the whole certificate-authority model is completely broken, but at the same time we have no valid alternative," said Jeremiah Grossman, founder of Santa Clara-based WhiteHat Security. "It's going to take a disruption -- something really bad will have to happen -- and then we'll fix it."

According to research firm Netcraft, the Internet has more than 670 million websites, the vast majority with addresses beginning with HTTP -- for hypertext transfer protocol -- which experts say often can be easily hacked. But about 2 million sites for banks, retailers and others boast HTTPS addresses. That "S" means a certificate authority, like Symantec, has verified their operators' identity and that the information flowing in and out of the sites is encrypted. The sites bear a padlock icon in their addresses, some of which are green to indicate they've undergone additional verification.

However, some of these Web destinations aren't as secure as they seem to be. By breaking into certificate authorities and issuing fake certificates, hackers can decrypt and steal information sent to and from these sites.

In 2011, when prominent Dutch certificate authority DigiNotar was hacked, an investigation determined about 300,000 Iranian Gmail accounts were accessed. The attack -- widely believed to have been launched by the Iranian government to monitor dissidents -- also created havoc in the Netherlands. Its citizens were warned to avoid online transactions and to correspond with the government only via paper, because Dutch authorities feared their own websites might not be safe.

As the world's biggest certificate authority, Symantec strives to avoid being similarly victimized. While it most fears cyberattacks, it also emphasizes the physical security of its location. Surveillance cameras, motion sensors and reinforced walls protect the Mountain View center.

Yet many experts say security procedures vary widely at other certificate authorities -- whose numbers worldwide are estimated at anywhere from 65 to well over 100 -- and that many of them aren't nearly as cautious. No single body polices them. And the standards that industry groups have proposed haven't been universally adopted, which has contributed to confusion about how certificate authorities operate.

"It is an extremely complicated, obscure bureaucracy that only a handful of experts on the planet understand," said Peter Eckersley of the Electronic Frontier Foundation.

One troubling mystery is how often certificate authorities get hacked, which is particularly difficult to determine with operations based overseas, said Adam Langley, a senior staff software engineer at Google (GOOG).

Consequently, "there may be lots of small targeted attacks that we don't know about," he said, adding, "the general system is rather fragile."

Studies suggest many sites certified as safe may not be.

The Electronic Frontier Foundation last year found that thousands of certificates "used to authenticate HTTPS sites are effectively useless, owing to weak algorithms used to generate the random numbers that are needed for encryption." As a result, it concluded, "tens of thousands of sites across the Web are vulnerable to eavesdroppers."

The Trustworthy Internet Movement, a nonprofit group that seeks to bolster Internet security, reported in April that only 22 percent of the 172,598 HTTPS sites it checked were secure.

And Netcraft recently warned that even when fraudulent HTTPS certificates are revoked, people can continue using those sites "for weeks or months without knowing anything is amiss," because browsers often are slow to warn them of the problem.

Recommendations for improving the system range from making more information about certifications public to requiring every site to have HTTPS encryption. But during a recent federal workshop on the issue, researchers with the International Computer Science Institute in Berkeley concluded, "There is no real solution in sight."

Others hope they are wrong.

"All this stuff is really critical in ensuring that e-commerce continues to be viable, so we all feel safe shopping on the Internet," said Paul Meijer, senior director of Symantec's secret center. "That just benefits everybody."

The vast majority of the more-than 670 million Internet sites have addresses that begin with HTTP -- for hypertext transfer protocol -- which experts say often can be easily hacked.About 2 million sites operated by banks, retailers and others boast HTTPS addresses. The "S" means a certificate authority has verified the identity of the sites' operators and that information flowing to and from the sites is encrypted. A padlock icon appears in their addresses, some of which are green to indicate they've undergone additional verification.But experts say security precautions vary among the scores of certificate authorities around the world, making it possible for hackers to sometimes decrypt and steal information sent to and from HTTPS sites.